If you are like me, you are probably excited by how fast Azure Sentinel has grown. This means more capabilities, functions and integrations to work with. So with all that power, how do I build a SOC and operationalize my Security Operations to keep up? At long last, there is a new Workbook to help you do just that... I have spent over a decade helping to build SOCs, and together at Microsoft my team of GBBs built a SOC Process Framework Workbook that combines SOC industry standards and best practices and applies them to Azure Sentinel.
A special thanks to my team members who helped me on this project (Clive Watson, Beth Bischoff, Chuck Enstall, Josh Heizman, Matthew Littleton). Each one of you brought a wealth of knowledge and a unique perspective. A heartfelt thank you to you all!!
Deploying the Workbook
It is recommended that you have a working instance of Azure Sentinel to get the full benefit of the SOC Process Framework Workbook, but the workbook will deploy regardless of your available log sources. Follow the steps below to enable the workbook:
Requirements: Azure Sentinel Workspace and Security Reader rights.
1) From the Azure portal, navigate to Azure Sentinel.
2) Select Workbooks > Templates.
3) Search for SOC Process Framework and select Save to add it to My Workbooks.
NOTE: If the workbook is not yet available in your Azure Sentinel Workbook Templates, you can pull down a copy from my GitHub repo: https://github.com/rinure-msft/Azure-Sentinel/blob/master/Workbooks/SOCProcessFramework.json. Simply open a New Workbook and paste in the Gallery Code.
If you need steps on manually deploying the workbook after copying the code from GitHub, I suggest following the instructions in this article, which outlines them: https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate.
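For readers who would rather script the manual path than paste Gallery Code by hand, here is an added example (not from the post or the repo) that pulls the workbook JSON from GitHub and deploys it as a Sentinel workbook resource with Az PowerShell, following the ARM resource shape described in the workbooks-automate article. The raw-content URL is derived from the blob URL above, and the resource group and workspace names are assumed inputs.

```powershell
# Added example: deploy the SOC Process Framework workbook JSON into a Sentinel workspace.
# Assumes Connect-AzAccount has been run and the Az.Accounts, Az.Resources and
# Az.OperationalInsights modules are installed.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # assumed input
    [Parameter(Mandatory)] [string] $WorkspaceName,       # assumed input
    # Raw-content form of the repo URL given in the post (assumed).
    [string] $GalleryUrl = 'https://raw.githubusercontent.com/rinure-msft/Azure-Sentinel/master/Workbooks/SOCProcessFramework.json'
)

# Security Reader is enough to view templates, but writing a workbook resource
# needs write rights on microsoft.insights/workbooks (e.g. Workbook Contributor).
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName

# Fetch the Gallery Code and make sure it parses before sending it to ARM.
$serialized = (Invoke-WebRequest -Uri $GalleryUrl -UseBasicParsing).Content
$null = $serialized | ConvertFrom-Json   # throws on malformed or truncated content

$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        @{
            type       = 'microsoft.insights/workbooks'
            apiVersion = '2018-06-17-preview'
            name       = [guid]::NewGuid().ToString()   # workbook resource names must be GUIDs
            location   = $workspace.Location
            kind       = 'shared'
            properties = @{
                displayName    = 'SOC Process Framework'
                serializedData = $serialized             # the Gallery Code, stored as a string
                version        = '1.0'
                sourceId       = $workspace.ResourceId   # binds the workbook to this workspace
                category       = 'sentinel'              # surfaces it under Sentinel > Workbooks
            }
        }
    )
}

$templateFile = Join-Path $env:TEMP 'socpf-workbook-template.json'
$template | ConvertTo-Json -Depth 10 | Set-Content -Path $templateFile -Encoding UTF8

New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName -TemplateFile $templateFile -Verbose
```

After the deployment completes, the workbook appears under My Workbooks in the Sentinel Workbooks blade, ready for the [CUSTOMER] edits described below.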
There are 14 Processes and 36 Procedures broken into detail to help deliver a comprehensive start to operationalizing Azure Sentinel and applying a SOC methodology.
Working Example of SOC Process Framework Workbook
This workbook is built so that SOC practices can deploy this workbook and edit the following Parameters:
- [CUSTOMER] Simply replace with your customer SOC Name.
- Upload diagrams and/or docs under the Technology sections.
- Make any necessary changes to fit the way your SOC operates and use this workbook as your Central SOC Operational Process and Procedures Knowledge Base.
This workbook has a TON of features (too many to mention), so go grab this workbook and find out how easy it is to build your SOC processes around Azure Sentinel, XDR, Azure Security Center, or any of our Security tools.
SOC Process Framework - Analytical Processes
There are a couple of other artifacts that are complementary to this workbook and were uploaded recently! Here they are:
- Get-SOCActions Playbook - Azure-Sentinel/Playbooks/Get-SOCActions at master · rinure-msft/Azure-Sentinel (github.com)
- SocRA Watchlist - https://github.com/rinure-msft/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv
The Get-SOCActions Playbook with "SocRA" Watchlist gives SOCs the ability to onboard SOC Actions for their Analysts to follow that snap to the SOC Process Framework Workbook. As they onboard Use-Cases and apply triage steps, this playbook can then be run to add those steps to the Incident for an Analyst to follow to closure.
I am positive this workbook will help you build a successful SOC framework needed to mature your SOC around Azure Sentinel.
Happy SOC Building!